No minimum threshold for distribute function

Summary

The function distribute in its current form ensures that the amount to be distributed is greater than 0. However, it does not account for scenarios where the amount might be very small (e.g 1 or 1.0), which could lead to issues in the distribution process. Small amounts may lead to rounding errors.

Vulnerability Detail

If the amount is very small (e.g., 1 or 1.0), it could lead to negligible distributions which might not be effective or could incur unnecessary gas costs. For some tokens, transferring very small amounts might lead to precision issues or might be blocked by the token contract if it has minimum transfer amount requirements.

Impact

The impact can range from moderate to high depending on the frequency and context of these small distributions. If small distributions occur frequently, the cumulative gas costs and operational inefficiencies can become significant. This results in inefficient use of resources.

Code Snippet

function distribute() external returns (uint256 amount) {
    require(vestId != INVALID_VEST_ID, "VestedRewardsDistribution/invalid-vest-id");

    amount = dssVest.unpaid(vestId);
    require(amount > 0, "VestedRewardsDistribution/no-pending-amount");

    lastDistributedAt = block.timestamp;
    dssVest.vest(vestId, amount);

    require(gem.transfer(address(stakingRewards), amount), "VestedRewardsDistribution/transfer-failed");
    stakingRewards.notifyRewardAmount(amount);

    emit Distribute(amount);
}

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/dba30d7a676c20dfed3bda8c52fd6702e2e85bb1/endgame-toolkit/src/VestedRewardsDistribution.sol#L152-L165

Tool used

Manual Review

Recommendation

Implement minimum amount threshold

sherlock-audit / 2024-06-makerdao-endgame-judging

newt - No minimum threshold for distribute function #49